RATKing: a new campaign with remote access Trojans
In late May we discovered a campaign distributing Remote Access Trojan (RAT) malware, programs that give attackers remote control over an infected system.
The group we examined stands out because it did not settle on any single RAT family for its infections. Several Trojans were observed in attacks within the campaign (all of them widely available). This trait reminded us of a rat king, a mythical creature made up of rodents with intertwined tails.
Illustration from K. N. Rossikov's monograph "Mice and mouse-like rodents, the most economically important" (1908)
In honor of this creature we named the group RATKing. In this post we describe in detail how the attackers carried out their attacks, which tools they used, and share our thoughts on attribution for the campaign.
Attack progression
Every attack in this campaign followed the same sequence:
The user received a phishing email with a link to Google Drive.
Via the link, the victim downloaded a malicious VBS script that wrote a DLL into the Windows registry to load the final payload, then launched PowerShell to execute that DLL.
The DLL injected the final payload, in fact one of the RATs used by the attackers, into a system process and registered the VBS script in autorun to gain a foothold on the infected machine.
The final payload ran inside the system process and gave the attacker control over the infected computer.
Schematically it can be represented as follows:
Below we focus on the first three stages, since we are interested in the malware delivery mechanism. We will not describe the inner workings of the malware itself in detail: it is widely available, either sold on specialized forums or distributed as open source, and so it is not unique to the RATKing group.
Analysis of the attack stages
Stage 1. Phishing email
The attack began with the victim receiving a malicious email (the attackers used various text templates; the screenshot below shows one example). The message contained a link to the legitimate storage service drive.google.com, which supposedly led to a download page for a PDF document.
Example of a phishing email
In reality, however, what had been uploaded was not a PDF document at all, but a VBS script.
Clicking the link in the email from the screenshot above downloaded a file named Cargo Flight Details.vbs. In this case the attackers made no attempt to disguise the file as a legitimate document.
At the same time, as part of this campaign, we found a script named Cargo Trip Detail.pdf.vbs. It could pass for a legitimate PDF because Windows hides file extensions by default. Even so, suspicion could still be raised by its icon, which corresponds to a VBS script.
At this stage the victim could recognize the deception: a second look at the downloaded file is enough. In phishing campaigns like this one, however, the attackers count on an inattentive or hurried user.
Stage 2. VBS script execution
The VBS script, which the user might open unknowingly, registered a DLL in the Windows registry. The script was obfuscated: its strings were written as bytes separated by an arbitrary character.
Example of an obfuscated script
The deobfuscation algorithm is simple: every third character is removed from the obfuscated string, and the result is decoded from base16 into the original string. For example, the value 57Q53s63t72s69J70r74e2El53v68m65j6CH6Ct (highlighted in the screenshot above) yields the string WScript.Shell.
To decode the strings we used a Python function:
import binascii

def decode_str(data_enc):
    # Keep two characters out of every three (the hex pair), dropping the filler
    # character, then decode the resulting base16 text into the original string
    hex_pairs = ''.join(data_enc[i:i+2] for i in range(0, len(data_enc), 3))
    return binascii.unhexlify(hex_pairs).decode('ascii')
Below, on lines 9-10, we highlighted the value whose decoding produced a DLL file. It is this file that was launched at the next stage using PowerShell.
Obfuscated string containing the DLL
Each function in the VBS script was executed only after its strings had been deobfuscated.
Once the script started, the function wscript.sleep was called; it was used to delay execution.
Next, the script worked with the Windows registry, using WMI to do so. With its help a unique key was created, and the body of the executable file was written into its value. The registry was accessed through WMI with the following command:
PowerShell, launched by the script, then:
obtained the data of the registry value named rnd_value_name; this data is a DLL file written for the .Net platform;
loaded the resulting .Net module into the memory of the powershell.exe process using the function [System.Threading.Thread]::GetDomain().Load() (a detailed description of the Load() function is available on the Microsoft website);
executed the function [GUyyvmzVhebFCw]::EhwwK(), the entry point of the DLL, with the parameters vbsScriptPath, xorKey and vbsScriptName. The xorKey parameter holds the key for decrypting the final payload, while vbsScriptPath and vbsScriptName are passed in order to register the VBS script in autorun.
Description of the DLL
In decompiled form, the loader looks as follows:
Loader in decompiled form (the function that executes the DLL is highlighted in red)
The loader was protected with the .Net Reactor protector. The de4dot utility does an excellent job of removing this protector.
This loader:
injected the payload into a system process (in this example, svchost.exe);
added the VBS script to autorun.
Payload injection
Let us look at the function that the PowerShell script called.
Function called by the PowerShell script
This function performed the following actions:
decrypted two data sets (array and array2 in the screenshot). They had first been compressed with gzip and then encrypted with the XOR key xorKey;
copied the data into allocated memory regions. The data from array went to the memory pointed to by intPtr (payload pointer in the screenshot); the data from array2 went to the memory pointed to by intPtr2 (shellcode pointer in the screenshot);
called the function CallWindowProcA (a description of this function is available on the Microsoft website) with the following parameters (the parameter names are listed below; in the screenshot they appear in the same order, but with the working values):
lpPrevWndFunc - pointer to the data from array2;
hWnd - pointer to a string containing the path to the executable svchost.exe;
Msg - pointer to the data from array;
wParam, lParam - message parameters (in this case they were not used and had the value 0);
created the file %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\<name>.url, where <name> is the first 4 characters of the vbsScriptName parameter (in the screenshot, the code fragment with this action begins with the File.Copy call). In this way the malware added the URL file to the list of files started at user logon and thus gained a foothold on the infected computer. The URL file contains a link to the script:
Thus, when CallWindowProcA is called with the parameters hWnd, Msg, wParam and lParam, the shellcode from array2 is executed with the arguments hWnd and Msg, where hWnd is a pointer to a string containing the path to the executable svchost.exe and Msg is a pointer to the final payload.
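A defender-side check for the Startup-folder persistence described above, added here as an example and not part of the original article: it parses the .url shortcuts in a Startup folder and flags those whose target is a script file rather than a web page. The folder, the sample shortcut contents and the extension list are constructed assumptions.

```python
import configparser
import os
import tempfile
from typing import List, Optional
from urllib.parse import unquote, urlparse

# Script extensions a Startup .url shortcut has no business pointing at (assumed list)
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".bat", ".cmd", ".hta"}

def url_target(text: str) -> Optional[str]:
    """Return the URL= value of an [InternetShortcut] file, or None if it is not one."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)

def points_to_script(target: str) -> bool:
    """True if the shortcut target is a local path or file:// URL with a script extension."""
    parsed = urlparse(target)
    if parsed.scheme == "file":
        path = unquote(parsed.path)
    elif len(parsed.scheme) <= 1:      # no scheme, or a drive letter such as C:
        path = target
    else:
        return False                   # http/https shortcuts are out of scope here
    return os.path.splitext(path.lower())[1] in SCRIPT_EXTS

def scan_startup(folder: str) -> List[str]:
    """Return the names of .url files in `folder` whose target is a script."""
    hits = []
    for name in sorted(os.listdir(folder)):
        if not name.lower().endswith(".url"):
            continue
        with open(os.path.join(folder, name), encoding="utf-8", errors="replace") as fh:
            target = url_target(fh.read())
        if target and points_to_script(target):
            hits.append(name)
    return hits

def demo() -> List[str]:
    """Constructed Startup folder: one shortcut to a VBS script, one benign web link."""
    with tempfile.TemporaryDirectory() as folder:
        with open(os.path.join(folder, "Carg.url"), "w") as fh:
            fh.write("[InternetShortcut]\nURL=file:///C:/Users/Public/Cargo%20Flight%20Details.vbs\n")
        with open(os.path.join(folder, "Docs.url"), "w") as fh:
            fh.write("[InternetShortcut]\nURL=https://example.com/docs\n")
        return scan_startup(folder)

if __name__ == "__main__":
    print(demo())
```

On a real host, point scan_startup at the user's Startup folder and treat every hit as worth a manual look, since legitimate .url shortcuts there normally open web pages, not scripts.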
The shellcode resolved function addresses in kernel32.dll and ntdll32.dll by hashes of their names and injected the final payload into the memory of the svchost.exe process using the Process Hollowing technique (you can read more about it in this article). When launched, the shellcode:
created an svchost.exe process in a suspended state using the CreateProcessW function;
then unmapped the section view in the address space of the svchost.exe process using the NtUnmapViewOfSection function. In this way the program freed the memory of the original svchost.exe process so that memory for the payload could be allocated at that address;
allocated memory for the payload in the address space of the svchost.exe process using the VirtualAllocEx function;
Start of the injection process
wrote the contents of the payload into the address space of the svchost.exe process using the WriteProcessMemory function (as in the screenshot below);
As a result of the actions described, one of the RAT-class malware samples was installed on the infected system. The table below lists the malware used in the attack, which we can confidently attribute to a single group of attackers, since the samples used the same command-and-control server.
Samples of the distributed malware sharing one command-and-control server
Two things are worth noting here.
First, the attackers used several different RAT families at once. This behavior is not typical of well-known cyber groups, which usually rely on roughly the same set of tools they are familiar with.
Second, RATKing used malware that is either sold on specialized forums at a low price or is outright open source.
A more complete list of the malware used in the campaign, with one important caveat, is given at the end of the article.
About the group
We cannot attribute the described malicious campaign to any known attackers. For now, we believe these attacks were carried out by a fundamentally new group. As we wrote at the beginning, we named it RATKing.
To create the VBS script, the group probably used a tool similar to the VBS-Crypter utility by the developer NYAN-x-CAT. This is suggested by the similarity between the scripts this program produces and the attackers' script. In particular, both:
delay execution using the Sleep function;
use WMI;
write the body of the executable file into a registry value;
execute this file using PowerShell within its own address space.
For clarity, compare the PowerShell command for executing a file from the registry that a script created with VBS-Crypter uses:
Note that the attackers also used another utility from NYAN-x-CAT as one of the payloads: LimeRAT.
The C&C server addresses point to another distinctive feature of RATKing: the group prefers dynamic DNS services (see the C&C list in the IoC table).
IoC
The table below gives a complete list of the VBS scripts that can presumably be attributed to the described campaign. All of these scripts are similar and perform roughly the same sequence of actions. All of them inject RAT-class malware into a trusted Windows process. All of them have C&C addresses registered through Dynamic DNS services.
However, we cannot claim that all of these scripts were distributed by the same attackers, except for the samples sharing the same C&C address (for example, kimjoy007.dyndns.org).